Microsoft Exchange - Reflected Cross-Site Scripting (CVE-2021-41349)
- Severity
- CVSSv3 Score
- 6.5
- Exploitable with Sniper
- No
- Vulnerability description
Microsoft Exchange Server is affected by a reflected Cross-Site Scripting (XSS) vulnerability in the Autodiscover endpoint. The root cause is insufficient validation of input taken from the URL query string, which is reflected into the response without proper output encoding. An attacker can craft a URL containing JavaScript that is executed in the browser of any user who opens it.
- Risk description
A remote, unauthenticated attacker could craft a malicious Autodiscover URL and deliver it to users of the Exchange server (for example by e-mail). If a user opens the link, the injected script runs in that user's browser in the context of the Exchange site and can be used to harvest the username and password the user enters, or other data the browser exposes to scripts on that origin. Exploitation requires the victim to open the attacker's link.
- Recommendation
Install the security update Microsoft released for CVE-2021-41349 on every affected Exchange server (the MSRC advisory in the references lists the supported cumulative update levels), then confirm the installed build number matches the patched release. Until the update is applied, treat unexpected links to the server's Autodiscover endpoint with suspicion and review the IIS logs for query strings carrying script-like content.
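As an added example that is not part of the original advisory, the following Python script hunts IIS W3C log lines for reflected-XSS probes aimed at the Autodiscover endpoint. The log lines are constructed, the query parameter name (`param`) is a placeholder rather than the real vulnerable parameter, and the markers are generic script-injection indicators, not the specific payload for CVE-2021-41349. The query string is URL-decoded repeatedly so that double-encoded payloads are caught as well.

```python
"""Hunt IIS W3C logs for reflected-XSS probes against Exchange Autodiscover.

Added detection example, not part of the original advisory. Log lines are
constructed; the parameter name and payloads are placeholders, not the real
CVE-2021-41349 exploit.
"""
import re
from urllib.parse import unquote

# Generic script-injection markers. They are matched against the fully
# URL-decoded query string, so encoded and double-encoded probes look alike.
XSS_MARKERS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # onerror=, onload=, ...
    re.compile(r"<\s*(img|svg|iframe|body)\b", re.I),
]


def full_decode(value, max_rounds=5):
    """URL-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis_line(line):
    """Parse a W3C line laid out as:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    (assumed field order for the constructed sample; adjust for your #Fields header).
    Returns None for lines that do not have enough fields.
    """
    parts = line.split()
    if len(parts) < 7:
        return None
    return {
        "date": parts[0], "time": parts[1], "client": parts[2],
        "method": parts[3], "path": parts[4], "query": parts[5],
        "status": parts[6],
    }


def is_autodiscover_xss_probe(record):
    """True when the request targets /autodiscover/ and its decoded query
    string contains a script-injection marker."""
    if record is None:
        return False
    if not record["path"].lower().startswith("/autodiscover/"):
        return False
    if record["query"] == "-":            # IIS writes '-' for an empty query
        return False
    decoded = full_decode(record["query"])
    return any(p.search(decoded) for p in XSS_MARKERS)


def find_probes(lines):
    """Return the parsed records that look like Autodiscover XSS probes."""
    return [r for r in map(parse_iis_line, lines) if is_autodiscover_xss_probe(r)]


# Constructed sample log (not real traffic). Line 2 is single-encoded,
# line 3 is double-encoded, line 4 hits a different path, line 5 has no query.
SAMPLE_LOG = [
    "2021-11-10 08:15:02 203.0.113.7 GET /autodiscover/autodiscover.xml - 401",
    "2021-11-10 08:15:09 203.0.113.7 GET /autodiscover/autodiscover.xml "
    "param=%3Cscript%3Ealert(1)%3C/script%3E 302",
    "2021-11-10 08:15:11 203.0.113.7 GET /Autodiscover/autodiscover.xml "
    "param=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 302",
    "2021-11-10 08:16:00 198.51.100.4 GET /owa/ param=%3Cscript%3E 200",
    "2021-11-10 08:16:30 198.51.100.9 POST /autodiscover/autodiscover.xml - 200",
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["client"], hit["path"],
              full_decode(hit["query"]))
```

Point the script at real logs by reading `ex*.log` from the IIS log directory and mapping the columns according to the `#Fields:` header; the marker list is deliberately narrow to keep false positives low, so extend it to your own encoding variants if the probes you see differ.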
- References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41349
https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41349
- Detectable with
- Network Scanner
- Vuln date
- Sep 2021
- Published at
- Updated at
- Software Type
- Email server
- Vendor
- Microsoft
- Product
- Exchange Server
- Codename
- Not available